have added workarounds such as disabling
PrivateNetwork=yes for autopkgtests
Cheers,
--
intrigeri
eports to track workarounds on top of #1050256 that's
tracking the root cause, or something.
Cheers,
--
intrigeri
on't need the functionality we've asked for in this
bug report. I wouldn't mind if the maintainers closed it.
Thanks for caring!
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri
AppArmor by
default and can apparently live with this bug.
Can you please make it explicit, e.g. describing what exact use cases
would be harmed by enabling AppArmor by default without fixing this
bug first?
Thanks in advance!
Cheers,
--
intrigeri
Hi Laurent & everyone else who's listening!
Laurent Bigonville:
> On 03/09/17 at 13:01, intrigeri wrote:
>> Laurent Bigonville:
>>> IMVHO, in regard to the recent proposal of enabling apparmor in debian
>>> by default, this needs to be addressed first.
>
"unrelated" breakage
has been fixed, and the reasons behind it clarified. What do
you think?
Cheers,
--
intrigeri
rofile that is not ready for prime time.
Adding AppArmor confinement where we had none previously can
come later.
Cheers,
--
intrigeri
c… minus the bug.
This might provide inspiration to whoever wants to fix this bug in
LXC :)
If these bugs are not tracked upstream yet: Felix, you seem to be the
one of us with the best understanding of the problem and you know
AppArmor pretty well, so perhaps you would be the best person to
report them?
Cheers,
--
intrigeri
Ben Hutchings:
> Yes, I now understand this. I'll add a Recommends: apparmor for the
> next upload so this broken configuration is less likely to occur.
Thanks!
Cheers,
--
intrigeri
ce/security
trade-off for Debian?
If it helps making a decision I could hunt for benchmark results (the
KSPP people tend to attach these to their pull requests when it
matters).
[0] https://outflux.net/blog/archives/2017/11/14/security-things-in-linux-v4-14/
Cheers,
--
intrigeri
Package: src:linux
Version: 3.16.7-ckt9-2
Severity: normal
In a level 1 KVM guest, starting a level 2 KVM guest with QEMU fails and
triggers "soft lockup" messages on the serial console. Then the level 1 KVM
guest becomes unresponsive.
That's a regression since Wheezy: this does not happen (ever
, while cryptsetup might not be
So at this point, I suggest this bug is reassigned to cryptsetup, and
option 3 is implemented there. But downgrading to non-RC and leaving
things as-is seems acceptable to me as well.
Thoughts?
Cheers,
--
intrigeri
vor downgrading the severity and
> merging the bugs for the time being.
Makes sense to me!
Cheers,
--
intrigeri
on't ensure that busybox is installed when the cryptsetup hook
needs it though. But that's another problem, and as Guilhem pointed
out it's well tracked elsewhere already.
Cheers,
--
intrigeri
p.org/wiki/Software/systemd/RootStorageDaemons/
* systemd-shutdown(8)
Cheers,
--
intrigeri
Hi,
intrigeri:
> I might try to come up with a hackish PoC for Tails soon
Here we go! Installing the four following files (slightly adapted to
drop a couple Tails-specific bits) on a Stretch system seems to do the
job. I hope it can allow interested people to validate this approach,
and then
also seems to have useful information about this.
Cheers,
--
intrigeri
nse to keep #827579 open.
Cheers,
--
intrigeri
Ilya Guterman:
> which means there is no such file in /lib/firmware/nvidia/
> you can add it by installing 'apt-get install firmware-linux-nonfree'
I cannot confirm this.
> intrigeri:
> it seems the firmwares are in debian,
In which package/version, exactly?
Control: reassign -1 linux-image-4.14.0-2-amd64
Control: found -1 4.14.7-1
Laszlo KERTESZ:
> So it happened again with no apparmor loaded. Twice.
Thanks for reporting! I'm therefore reassigning this bug to the
affected Linux kernel package.
Cheers,
--
intrigeri
.
Thanks!
Cheers,
--
intrigeri
/hypermail/linux/kernel/2104.3/01302.html
Ubuntu 22.04 LTS has this setting enabled by default.
KSPP recommends enabling it:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Thanks for your attention,
cheers!
--
intrigeri
st other live systems, e.g. our incremental upgrades features
uses it) once I find the time to.
Cheers,
--
intrigeri
--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http
Hi,
intrigeri wrote (11 Dec 2014 13:13:43 GMT) :
> Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
>> Please try the Linux 3.18 packages from experimental (they're not there
>> yet, but should be soon) and check that overlayfs does what you need.
> Thanks. I'll test
Hi,
Ben Hutchings wrote (21 Dec 2014 23:20:15 GMT) :
> On Sun, 2014-12-21 at 21:53 +0100, intrigeri wrote:
>> 1. Due to overlayfs' stack depth limit of 2, until support more than
>>    one read-only lower layer is completed, overlayfs breaks
>>    live-boot's S
bug that tracks this issue:
https://bugs.launchpad.net/apparmor/+bug/1408106
Cheers,
--
intrigeri
Archive: https://lists.debian.org/85a8zi1cxa@boum.org
overlayfs than a path-based MAC such
as AppArmor.
Cheers,
--
intrigeri
Archive: https://lists.debian.org/85h9tpxn41@boum.org
Hi Debian Kernel Team,
intrigeri (2014-12-11):
> Ben Hutchings wrote (09 Dec 2014 19:55:10 GMT) :
>> Please try the Linux 3.18 packages from experimental (they're not there
>> yet, but should be soon) and check that overlayfs does what you need.
>
> Thanks. I'll te
with some trivial bug triaging.)
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
d.
I would do it myself, if I were sure what exact version fixes it.
Cheers,
--
intrigeri
think you'll have time to answer this request for additional
information sent by Ben a bit more than two months ago?
Also, it might be useful to try and reproduce this with Linux 3.13.x
from Debian unstable, if possible.
Cheers,
--
intrigeri
?S15:50 0:00
[ext4-dio-unwrit]
root 435 0.0 0.0 0 0 ?S15:51 0:00 [flush-254:5]
root 439 0.0 0.1 2596 1216 ?S
e loaded at all. Should I?
Bye,
--
intrigeri
| OTR fingerprint @
https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
| Did you exchange a walk on part in the war
| for a lead role in the cage?
Hi,
Alex Deucher wrote (13 Aug 2010 16:06:17 GMT) :
> Can you try a newer kernel? 2.6.35.x preferably?
Already done, see message #56.
> Did hibernate ever work with kms for you?
No.
Bye,
--
intrigeri
en. SysRq keys don't work.
Bye,
--
intrigeri
| Then we'll come from the shadows.
but I
failed to find it anywhere; could it be expressed here please?
It seems to me another LSM (Tomoyo) has been included since 2.6.32-13
without satisfying these conditions, hence my wondering.
P.S.: please Cc me or the bug - I don't read debian-kernel.
Bye,
--
intr
kage proper, so that all users of Debian (and
derivatives) who need it can easily enable this feature.
What do you think?
Bye,
--
intrigeri
uld be
closed as well.
OTOH, I have since asked for memtest to be enabled for totally
different reasons, see #646361.
Cheers,
--
intrigeri
| So
for default
Debian installations.
So, I suggest we keep the default value ("1") for Jessie.
The beginning of the Jessie development cycle seems like a good time
to bring such changes in, so I suggest Yama is enabled in our 3.8+
kernels once the kernel team is done with their last Wheezy
ackage.
Cheers,
--
intrigeri
Index: debian/config/config
===
--- debian/config/config (re
my initial bug report
(shyly) talked of the compatibility patch to solve both "network
mediation does not work at all" issue and the introspection ones,
so it would be absolutely wonderful if you could apply the part of the
compatibility patch that deals with network too (FTR, this would
intrigeri wrote (31 May 2012 13:14:13 GMT) :
>> Looking back over the bug log, I see that wasn't requested, so I'm
>> only applying 'AppArmor: compatibility patch for v5 interface' now.
Unfortunately, the resulting kernel (linux-image-3.2.0-2-amd64
3.2.19-1), comb
Package: linux-2.6
Severity: normal
Version: 3.2.19-1
Tags: patch
X-Debbugs-CC: john.johan...@canonical.com, k...@debian.org, mi...@riseup.net
Hi,
the AppArmor compatibility patch applied to fix #661151
totally breaks AppArmor support; this is a regression.
Details: http://bugs.debian.org/cgi-bin
Hi,
Michal Suchanek wrote (05 Aug 2011 12:08:37 GMT) :
> At the very least the libc nss modules are required in initramfs to
> get dns lookup for netbooting. Splashscreen solutions like plymouth
> might need some of the graphics rendering modules.
I think it would be useful to mark as blocked by t
y are not task related
>>> +*/
>>> + if (in_interrupt())
>>> + return 0;
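Review bot: the `if (in_interrupt()) return 0;` early return at the end of this hunk needs its justification stated in full in the comment directly above it, because returning 0 here skips everything that follows for any caller running in interrupt context. Either document what makes skipping safe on that path, or drop the check if no caller can reach this code from interrupt context.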
>>
>> I wonder why this is being checked at all.
>>
> Good question, I will have to dig into it.
John, have you had a chance to?
Cheers,
--
intrig
s harmless or
>> else get a fix for it.
>>
> Right this breaks the controls over quieting of denial messages. Basically
> if policy specifies a reject should not be logged then the global controls
> that turn quieting off so that all rejects get logged aren't working
Hi,
Ben Hutchings wrote (23 Jun 2012 19:02:06 GMT) :
> What is it that you think will happen at the freeze? We stop fixing
> all bugs and do nothing for the next few months?
Of course, and we'll lazily eat lots of icecream while you work hard
to release many shiny new Linux 3.2.x :)
Irony set as
Package: linux-2.6
Severity: wishlist
X-Debbugs-CC: tails-...@boum.org
User: tails-...@boum.org
Usertags: testing
Hi!
Please build dummy_hcd and g_mass_storage modules.
The USB dummy HCD and Mass Storage Gadget would be very useful to
implement automated testing of Live systems such as Tails [0]
Hi Ben,
Ben Hutchings wrote (24 Jun 2012 22:12:00 GMT) :
> Couldn't you also use usbip for this?
Thank you for mentioning usbip, I did not know about it!
After a quick look at it, I must say I'm happy to learn about it, and
I may use it for unrelated tasks, but it does not really seem to be
fit
maximilian attems wrote (18 May 2011 16:29:43 GMT) :
> tags 468115 + pending
What happened to this patch / bug report ("Support for mount failure
hooks")?
Michael Prokop wrote (23 Nov 2011 11:45:14 GMT) :
> maximilian: i've scheduled the patch for inclusion via
> mika/user_permissions.
Was this included eventually?
Hi,
maximilian attems wrote (27 Jun 2011 10:13:07 GMT) :
> tags 627547 + pending
Was this fixed eventually?
Year-old pending tag makes me doubtful, but I did not find any
reference to this bug in the changelog, so, I'm wondering.
Hi,
berta...@ptitcanardnoir.org wrote (27 Jun 2012 11:00:22 GMT) :
> On Wed, Jun 27, 2012 at 04:32:31AM +0100, Ben Hutchings wrote:
>> Yes, but I think it would make more sense to emulate a USB storage
>> device in qemu rather than the host kernel.
I do agree.
bertagaz and I have spent a bit mo
if you want to, I won't complain ;). The purpose of this bug
report is rather to allow us to mark other bugs, reported against the
AppArmor userspace tools, as blocked by the lack of kernel support.
[1] http://lists.debian.org/debian-derivatives/2012/02/msg9.html
Cheers,
--
intrigeri
tches/$LATEST/ directory of the apparmor 2.7.x tarball?
Or have you got updated patches, e.g. for Linux 3.2.x, published
somewhere to be found?
Thanks,
--
intrigeri
nd this is why the v5 compat' patches got recently reverted
in Precise's kernel tree, right?
> Though those will require a more recent userspace.
John: that will be called 2.8, right?
Regards,
--
intrigeri
ore
precisely to the commits of the new interface that have been
upstreamed already, and to the ones that have not been, so that we can
get a rough idea of where things are at.
Kees, others, what do you think?
Regards,
--
intrigeri
connections
Regards,
--
intrigeri